Web Application Detections Published in June 2025
In June, Qualys Web Application Scanning released QIDs targeting vulnerabilities in several widely used software products and frameworks, including:
Next.js, DataTables, Billboard.js, OpenPGP.js, phpwcms, Laravel, Squid, Kibana, Liferay Portal, Apache Traffic Server, SAP, Traefik, Roundcube Webmail, Apache Tomcat, WordPress, Zimbra, Apache Superset, Moodle, Gradio, Adobe Magento, Craft CMS, Gladinet CentreStack, Teltonika, Cisco, ConnectWise ScreenConnect, Siemens, GitLab, Mattermost, GeoServer, NetScaler, Dify, FastGPT, FortiMail, JetBrains TeamCity and Adobe.
QIDs Released to Detect Vulnerabilities in These Frameworks
Details about the following QIDs can be found in our knowledge base. Please review reports of the scanned applications for these detections and, if any are identified, follow the steps provided in the knowledge base to ensure applications are protected against the reported vulnerabilities. Immediate resolution of these vulnerabilities as soon as they are detected should be a priority for all organizations. If not addressed, these vulnerabilities can pose security risks, such as breaches, unauthorized access, and various malicious activities.
List of QIDs Released
| QID | Title |
| 151059 | Next.js Race Condition Vulnerability (CVE-2025-32421) |
| 151060 | Next.js Information Exposure Vulnerability (CVE-2025-48068) |
| 151061 | DataTables Prototype Pollution Vulnerability (CVE-2020-28458) |
| 151062 | DataTables Cross-Site Scripting (XSS) Vulnerability (CVE-2021-23445) |
| 151063 | Billboard.js Prototype Pollution Vulnerability (CVE-2025-49223) |
| 151064 | OpenPGP.js Signature Verification Bypass Vulnerability (CVE-2025-47934) |
| 520051 | phpwcms Multiple Deserialization Vulnerabilities (CVE-2025-5497, CVE-2025-5498, CVE-2025-5499) |
| 520052 | Laravel File Validation Bypass Vulnerability (CVE-2025-27515) |
| 520053 | Squid Denial of Service Vulnerability (CVE-2024-45802) |
| 520054 | Kibana Improper Authorization Vulnerability (CVE-2024-43706) |
| 520055 | Liferay Portal Denial of Service Vulnerability (CVE-2025-3602) |
| 520056 | Apache Traffic Server Denial of Service Vulnerability (CVE-2025-49763) |
| 520057 | Apache Traffic Server Improper Access Control Vulnerability (CVE-2025-31698) |
| 520058 | Apache Traffic Server Chunked Request Smuggling Vulnerability (CVE-2024-53868) |
| 520059 | Liferay Portal Path Traversal Vulnerability (CVE-2025-3594) |
| 520060 | Liferay Portal Denial of Service Vulnerability (CVE-2025-3526) |
| 520061 | Kibana Open Redirect Vulnerability (CVE-2025-25012) |
| 530072 | SAP NetWeaver Visual Composer Development Server Insecure Deserialization Vulnerability (CVE-2025-42999) |
| 530133 | Traefik Path Traversal Vulnerability (CVE-2025-47952) |
| 530134 | Roundcube Webmail Remote Code Execution (RCE) Vulnerability (CVE-2025-49113) |
| 530135 | Apache Tomcat CGI Security Constraint Bypass Vulnerability (CVE-2025-46701) |
| 530136 | WordPress Newsletters Plugin: Local File Inclusion Vulnerability (CVE-2025-4857) |
| 530137 | WordPress Newsletters Plugin: Local File Inclusion Vulnerability (CVE-2025-4857) |
| 530138 | Zimbra Cross-Site Scripting (XSS) Vulnerability (CVE-2024-45515) |
| 530139 | Apache Superset SQL Injection Vulnerability (CVE-2025-48912) |
| 530140 | Moodle AJAX Section Deletion Permission Bypass Vulnerability (CVE-2025-3644) |
| 530141 | Moodle Remote Code Execution Vulnerability (CVE-2025-3641) |
| 530142 | Gradio Arbitrary File Copy via Flagging Feature (CVE-2025-48889) |
| 530143 | Moodle Insecure Direct Object Reference (IDOR) Vulnerability (CVE-2025-3640) |
| 530144 | Moodle Cross-Site Request Forgery (CSRF) Vulnerability (CVE-2025-3635) |
| 530145 | WordPress AI Engine Plugin: Arbitrary File Upload Vulnerability (CVE-2023-51409) |
| 530146 | WordPress PSW Front-end Login and Registration Plugin: Privilege Escalation Vulnerability (CVE-2025-4607) |
| 530147 | WordPress WP-GeoMeta Plugin: Privilege Escalation Vulnerability (CVE-2025-4103) |
| 530148 | Grafana Authorization Bypass Vulnerability (CVE-2025-3454) |
| 530149 | Moodle Missing Authorization Vulnerability (CVE-2025-32045) |
| 530150 | WordPress Offsprout Page Builder Plugin: Privilege Escalation Vulnerability (CVE-2025-4672) |
| 530151 | Moodle Unauthenticated REST API User Data Exposure Vulnerability (CVE-2025-32044) |
| 530152 | WordPress Simple Page Access Restriction Plugin: Cross-Site Request Forgery Vulnerability (CVE-2025-5142) |
| 530153 | WordPress File Provider Plugin: SQL Injection Vulnerability (CVE-2025-4578) |
| 530154 | WordPress OpenSheetMusicDisplay Plugin: Cross-Site Scripting Vulnerability (CVE-2025-5235) |
| 530155 | Adobe Magento Improper Access Control Security Feature Bypass Vulnerability (CVE-2025-27190) |
| 530156 | Craft CMS Arbitrary Content Storage Vulnerability (CVE-2025-35939) |
| 530157 | Adobe Magento Improper Access Control Bypass Vulnerability (CVE-2025-27191) |
| 530158 | Adobe Magento Improper Authorization Vulnerability (CVE-2025-27188) |
| 530159 | Adobe Magento Insufficiently Protected Credentials Bypass Vulnerability (CVE-2025-27192) |
| 530160 | Gladinet CentreStack Use of Hard-coded Cryptographic Key Vulnerability (CVE-2025-30406) |
| 530161 | WordPress Eventin Plugin: Privilege Escalation Vulnerability (CVE-2025-47539) |
| 530162 | WordPress LA-Studio Element Kit for Elementor Plugin: Cross-Site Scripting Vulnerability (CVE-2025-4943) |
| 530163 | Teltonika RUT9XX Unauthenticated OS Command Injection Vulnerability (CVE-2018-17532) |
| 530164 | Cisco IOS XE WLC Arbitrary File Upload Vulnerability (CVE-2025-20188) |
| 530165 | WordPress Sunshine Photo Cart Plugin: Privilege Escalation Vulnerability (CVE-2025-5482) |
| 530166 | WordPress Store Locator WordPress Plugin: SQL Injection Vulnerability (CVE-2025-49328) |
| 530167 | WordPress HyperComments Plugin: Missing Authorization Vulnerability (CVE-2025-5701) |
| 530168 | ConnectWise ScreenConnect ViewState Code Injection Vulnerability (CVE-2025-3935) |
| 530172 | Siemens SINEC NMS Detected |
| 530173 | WordPress Membership For WooCommerce Plugin: Missing Authorization Vulnerability (CVE-2025-49265) |
| 530174 | WordPress One-Login Plugin: Privilege Escalation Vulnerability (CVE-2025-23974) |
| 530175 | WordPress Stock Locations for WooCommerce Plugin: Missing Authorization Vulnerability (CVE-2025-47463) |
| 530176 | GitLab CE/EE Kubernetes Denial of Service Vulnerability (CVE-2025-3111) |
| 530177 | GitLab CE/EE Denial of Service Vulnerability (CVE-2025-2853) |
| 530178 | Apache Tomcat Authentication Bypass Vulnerability (CVE-2025-49125) |
| 530179 | Apache Tomcat Denial-of-Service (DoS) Vulnerability (CVE-2025-48988) |
| 530180 | Apache Tomcat Untrusted Search Path Vulnerability (CVE-2025-49124) |
| 530181 | Mattermost Guest User API Team Information Disclosure Vulnerability (CVE-2025-4128) |
| 530182 | Mattermost LDAP Group ID Attribute Injection Vulnerability (CVE-2025-4573) |
| 530183 | GeoServer GeoWebCache Sensitive Information Exposure Vulnerability (CVE-2024-38524) |
| 530184 | GeoServer REST API Index Unauthorized Access Vulnerability (CVE-2025-27505) |
| 530185 | GeoServer TestWfsPost Server-Side Request Forgery (SSRF) Vulnerability (CVE-2024-29198, CVE-2021-40822) |
| 530186 | Mattermost Google OAuth Credential Disclosure Vulnerability (CVE-2025-2571) |
| 530187 | Mattermost Unvalidated Personal Access Token Deactivation Vulnerability (CVE-2025-3230) |
| 530189 | WordPress CubeWP Plugin: Privilege Escalation Vulnerability (CVE-2025-4315) |
| 530190 | WordPress WP VR Plugin: Arbitrary File Upload Vulnerability (CVE-2025-47452) |
| 530191 | GeoServer XML External Entity (XXE) Processing Vulnerability (CVE-2025-30220) |
| 530192 | Mattermost Guest Access Control Vulnerability (CVE-2025-1792) |
| 530193 | Mattermost System Manager Access Control Enforcement Vulnerability (CVE-2025-3611) |
| 530194 | WordPress Ivory Search Plugin: Cross-Site Scripting Vulnerability (CVE-2025-5209) |
| 530195 | WordPress s2Member Pro Plugin: Local File Inclusion Vulnerability (CVE-2024-12563) |
| 530196 | WordPress WP Job Portal Plugin: SQL Injection Vulnerability (CVE-2025-48274) |
| 530197 | WordPress WP Marketing Automations Plugin: Missing Authorization Vulnerability (CVE-2025-1562) |
| 530198 | NetScaler Application Delivery Controller (ADC) and NetScaler Gateway Improper Access Control Vulnerability (CVE-2025-5349) |
| 530199 | NetScaler Application Delivery Controller (ADC) and NetScaler Gateway Insufficient Input Validation Vulnerability (CVE-2025-5777) |
| 530200 | Dify Cross-site Scripting Vulnerability (CVE-2025-49149) |
| 530201 | WordPress PixelYourSite Plugin: Unauthenticated PHP Object Injection Vulnerability (CVE-2024-0769) |
| 530202 | FastGPT Improper Input Validation Vulnerability (CVE-2025-52552) |
| 530203 | FastGPT Server-Side Request Forgery Vulnerability (CVE-2025-27600) |
| 530204 | Mattermost Arbitrary File Write Vulnerability (CVE-2025-4981) |
| 530205 | Mattermost Channel Validation Failure Vulnerability (CVE-2024-39274) |
| 530206 | WordPress AI Engine Plugin: Insufficient Authorization Vulnerability (CVE-2025-5071) |
| 530207 | WordPress CSV Me Plugin: Arbitrary File Upload Vulnerability (CVE-2025-6086) |
| 530208 | FortiMail Stack-based Buffer Overflow Vulnerability (CVE-2025-32756) |
| 530209 | FortiMail Authentication Bypass Vulnerability (CVE-2023-47539) |
| 530210 | JetBrains TeamCity Cross-Site Scripting (XSS) Vulnerabilities (CVE-2025-52875, CVE-2025-52876, CVE-2025-52877, CVE-2025-52879) |
| 530211 | JetBrains TeamCity Usernames Exposure Vulnerability (CVE-2025-52878) |
| 530212 | Mattermost Unauthorized Channel Member Management Vulnerability (CVE-2025-3227) |
| 530213 | Mattermost Guest User Playbook Run Exposure Vulnerability (CVE-2025-3228) |
| 530214 | Roundcube Webmail Cross-Site Scripting (XSS) Vulnerabilities (CVE-2024-42008, CVE-2024-42009) |
| 530215 | WordPress Ultra Addons for Contact Form 7 Plugin: Arbitrary File Upload Vulnerability (CVE-2025-6220) |
| 530216 | Roundcube Webmail Sensitive Information Exposure Vulnerability (CVE-2024-42010) |
| 530217 | WordPress Classified Listing Plugin: Local File Inclusion Vulnerability (CVE-2025-52715) |
| 530218 | WordPress WP Roadmap Plugin: SQL Injection Vulnerability (CVE-2025-52822) |
| 530219 | WordPress WP User Stylesheet Switcher Plugin: Cross-Site Request Forgery Vulnerability (CVE-2025-52792) |
| 530220 | WordPress Import YouTube videos as WP Posts Plugin: Missing Authorization Vulnerability (CVE-2025-52802) |
| 530221 | NetScaler Application Delivery Controller (ADC) and NetScaler Gateway Memory Overflow Vulnerability (CVE-2025-6543) |
| 530222 | Adobe Magento Server-Side Request Forgery Vulnerability (CVE-2024-34111) |
| 530223 | Adobe Magento Improper Authentication Vulnerability (CVE-2024-34103) |
| 530225 | Adobe Magento Cross-Site Scripting Vulnerability (CVE-2024-34105) |
| 530226 | Zimbra Cross-Site Scripting (XSS) Vulnerability (CVE-2025-48700) |
| 530227 | GitLab CE/EE Cross-Site Request Forgery (CSRF) GraphQL Mutation Execution Vulnerability (CVE-2025-4994) |
| 530228 | GitLab CE/EE Cross-site Scripting Vulnerability (CVE-2025-2443) |
| 530229 | GitLab CE/EE Compliance Framework Authorization Bypass Vulnerability (CVE-2025-5121) |
| 530233 | Grafana Information Disclosure Vulnerability (CVE-2025-3415) |
What’s Next
Leverage the QID list to guide your remediation efforts and strengthen your risk posture.
Looking for more context or remediation tips? Head to Qualys KnowledgeBase for detailed analysis, actionable guidance, and expert-backed support.